
Hacking a WordPress Botnet

While analyzing some of the attacks we see on the Wordfence Web Application Firewall, we discovered code that an attacker was trying to upload that was part of a botnet. In case you’re not in the information security space, a botnet is a network of ‘bot’ or ‘zombie’ machines that are controlled from a central command and control or C&C server.

In the case of this botnet, it was controlled via a chat service called IRC or Internet Relay Chat. IRC is a popular way of controlling botnets because you can have all the ‘bot’ or zombie machines connect to the chat server and join a channel to receive broadcasts. This allows the botnet owner to simply sign into the chat server and broadcast commands to all the zombies which they run at the same time.

The code below shows a typical hack attempt where the attacker is trying to inject their botnet code into a targeted WordPress site. Wordfence blocks this attack and any attack that includes this botnet code.

Once a WordPress site is compromised with this attack, the infected server connects to an IRC chat server, ready to receive commands and do the botnet owner’s bidding.

The owner might use those zombie WordPress sites to attack more sites. Or he might use them to launch a distributed denial of service or DDoS attack on someone, overwhelming them with traffic. He could also simply deface all the sites in his botnet with SEO spam.

The hashed password is shown next to LND-Bloodman’s username above. We’ve blurred the encoded command and control server IP address. The content length is over 25K so this is a reasonably long script.

The Wordfence team decided to analyze the botnet code and try to identify who was running the botnet.

Going After the Command and Control Servers

During our analysis of the malicious code, we found five IP addresses of IRC command and control servers (C&C servers) for this botnet. Two of them were down. Three were still up.

We created modified zombie code to connect to the C&C servers and do further analysis. Our code was designed to save all files it was commanded to download. It would also log all commands sent to it and not actually do anything malicious.

The botnet owner’s nickname/handle appears to be Bloodman.

One of the things we were hoping to get by doing this is Bloodman’s password that he uses to control his botnet. He had built his botnet zombie code so that whenever he sent a command to the zombies via the C&C server, it included a password.

The zombies would hash that password, compare the hash to what is stored in the code and, if it matched, would know it’s Bloodman sending the command and would run it.
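The check described above, and the reason a silent channel member ends up holding the password, as an added illustration that is not the post's code or the botnet's code: the wire format (`!<password> <command>`), the MD5 digest and all nicks, hosts and commands are constructed assumptions, and the sensor only records what it sees, it never runs anything.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed secret for this demo (not the real password from the post).
DEMO_PASSWORD = "demo-password-NOT-the-real-one"
# Assumption: the bot embeds an MD5 hex digest; the post does not say which
# hash function the zombie code used.
STORED_HASH = hashlib.md5(DEMO_PASSWORD.encode()).hexdigest()

# Assumed wire layout (the post only says every command "included a password"):
#   :<nick>!<user>@<host> PRIVMSG #channel :!<password> <command...>
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :!(?P<password>\S+) (?P<command>.+)$"
)


@dataclass
class PassiveSensor:
    """Sits in the channel like a zombie would, but only records what it sees."""
    stored_hash: str
    log: list = field(default_factory=list)

    def handle_line(self, raw_line):
        line = raw_line.strip()
        if line.startswith("PING "):
            # The only traffic a passive observer must answer to stay connected.
            return {"type": "ping", "reply": "PONG " + line[5:]}
        m = PRIVMSG_RE.match(line)
        if not m:
            return None
        # Exactly the check the post describes: hash the password carried in
        # the command and compare it with the digest embedded in the bot.
        digest = hashlib.md5(m["password"].encode()).hexdigest()
        accepted = digest == self.stored_hash
        entry = {
            "type": "command",
            "nick": m["nick"],
            "target": m["target"],
            "command": m["command"],
            "accepted": accepted,
            # The secret travels in clear text to every member of the channel, so
            # an observer captures it the moment one accepted command is sent.
            "captured_password": m["password"] if accepted else None,
        }
        self.log.append(entry)
        return entry


# Constructed sample of channel traffic (documentation IPs, invented nicks).
SAMPLE_TRAFFIC = [
    "PING :irc.example.invalid",
    ":someone!u@h PRIVMSG #demo :hello",
    ":impostor!u@h PRIVMSG #demo :!wrong-guess ddos 192.0.2.1",
    ":operator!u@h PRIVMSG #demo :!" + DEMO_PASSWORD + " download http://198.51.100.1/x.txt",
]


def run_sample(lines=SAMPLE_TRAFFIC):
    """Feed the constructed traffic through the sensor and return its log."""
    sensor = PassiveSensor(STORED_HASH)
    for line in lines:
        sensor.handle_line(line)
    return sensor.log


def accepted_commands(log):
    """Commands a real zombie would have executed."""
    return [e["command"] for e in log if e["accepted"]]


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```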

The oldest Google result mentioning this hash is from December 2012 and is a request to crack the hash and recover the password, which is still unsuccessful. This indicates with a high degree of certainty that Bloodman has been active and using this password since December 2012.

Anyone who can reverse this hash can simply sign into any IRC server that Bloodman is using and have immediate control of his botnet.

We connected to all three of his C&C servers and after watching and waiting for about 48 hours we hit the jackpot. He signed in and sent a command to the botnet. We captured his password. The first part of it is:

1x33x7.0wnz-your.************

We’ve intentionally starred out the rest of the password (which is long) to prevent anyone else from taking control of these botnets.

This allowed us to take control of his botnet if we wanted to. It turns out Bloodman also refers to himself as 1x33x7.

At this point we connected to one of the botnet servers:

We’ve blurred out any IP addresses or identifying information. The server is named to look like some kind of FBI honeypot. Considering it’s actively hacking WordPress sites, we’re guessing it’s a joke on the hacker’s part.

Joining the channel #1x33x7 where all the bots hang out shows us the following when we ask for a list of users:

There are 31 infected machines shown excluding the three users. And there is also LND-Bloodman hanging out in the channel.

The format of the nicknames shows some information about the compromised system including what web server software it’s running.

Running IRC’s ‘whois’ command on a few of the zombies shows that some of them are FreeBSD Unix boxes. Others are running Windows Server 2012 or Windows 8 – both identify as “Windows NT 6.2 Build 9200.”

Running ‘whois’ on the two Bloodman accounts gave us two IP addresses and a possible email address with a first name.

At this point we have enough information to go ‘active’ and take control of the botnet and shut it down. The botnet has enough functionality for us to first delete any infected code and then kill the processes running on remote machines, thereby destroying the part of the botnet that is connected to this command and control server.

We chose not to shut down the botnet for two reasons:

Firstly the Computer Fraud and Abuse Act does not allow us to hack the hackers. So even though we had passively connected to this hacker’s command and control system, going active and changing the system could land us in some hot water with the FBI. We would rather observe and report because that is all the law allows unless you work for the military or a military agency in the United States.

Secondly, we were concerned that we may not have all the information and we may actually do harm by trying to disinfect remote machines.

We don’t think that shutting down a single C&C server or even all three C&C servers and their respective bots would do much good. Bloodman would simply regroup and reinfect new sites with new C&C servers.

Attribution – Who is doing this?

To try to determine who controls this botnet, we started with both usernames that appear in the source code: Bloodman and 1x33x7. One of those usernames pointed us to a Twitter account. The Twitter account contains a German slogan “I am root” and various images of what is probably the botnet owner’s face.

The Twitter account links to a YouNow profile which is a live video broadcasting service – it uses the same username.

The YouNow profile linked to a YouTube account that uses the second username, which contains plenty of identifying information and a video of the botnet controller bragging about his botnet. He speaks German, likes to play with fireworks and we know what car he drives and have images of various German roads.

In addition to the open source intelligence above, we mined public data leaks and found a user profile on a hacker website that includes one of the usernames and the IP address the user last signed in from. That IP address is in Germany and belongs to Deutsche Telekom. Providing this to the authorities would probably reveal his full identity from ISP logs.

Conclusion

This is a small botnet with under 100 infected machines when you combine all the C&C servers together. This individual is launching under 2000 attacks per week. While they are inconvenient and consume resources, they are all blocked by the Wordfence Firewall.

We are working with net block owners to let them know about machines, particularly C&C servers that are on their network and are likely compromised.

We think that discussing the tactics, techniques and procedures of attackers, both small and large, helps us all better understand what we are protecting our WordPress sites against and how to do a better job.

Um, why did it take a comment on this article for you to contact the authorities? It seems to me that once you'd reached the "anything else would be illegal" stage (I.E. taking control) the next logical step would be to turn the botnet information over to the appropriate agencies.

Michael, you have to keep the context in mind: What the WordFence folks did here was the equivalent of carefully observing and documenting how a pickpocket operates. There are thousands, perhaps tens of thousands of "Bloodmans" out there.

What Wordfence learned (and shared) is far more valuable than going after this one guy, because his methods are probably shared by many others.

Should it be reported and, ideally, he be pursued? Absolutely. I'm guessing that neither U.S. nor German authorities will be greatly interested unless there's evidence Bloodman is causing significant financial or political damage. Just too many other, bigger hacks going on in the world.

It's an interesting debate. This isn't a big fish by any stretch of the imagination. It also requires significant effort on our part to reach out to German authorities, find the right person, hope they're interested, provide evidence in an ongoing investigation etc. I don't think this attacker is a big enough player to justify that level of effort, but I'd like to hear thoughts from the rest of the community.

Our approach is really to treat the symptoms by doing a very effective job of blocking any attacks guys like this launch and doing ongoing deep analysis of their TTPs.

What if you just, in a very thinly veiled highly hypothetical sense, allude to the fact he is connected with ISIS and this botnet is helping fund their cause? It's a theory, but I bet you several agencies and governments will drop everything to investigate! ;) (come now, Trump makes more outrageous claims than you would if you did and chose your words correctly)

Even a small hacker can have other usernames that control other or larger botnets, or belong to a group that does. I'm sure the authorities would find out more, but if you never give them a chance we will never know.

Hi Mark. Thanks for the reply... and thanks for all your work on this one (and for sharing). One of my "day jobs" is helping to run an online classified ad website and trying to keep the scammers at bay. Catching any one of them would be relatively easy, but it has been impossible to find anyone in law enforcement that cares. They tell me that I would need to document at least $250,000 in losses to get their attention. In other words, they are not interested in pro-actively taking down a scammer... they have to wait until there are victims which have suffered huge losses. It's a sad situation.

Since you are open to public comment on this... I say... yes, go ahead and try... and document what you do and how it goes. I think the entire story, from beginning to end, should be told. It may be eye-opening. In other words, why let this be the end of the story. The process of contacting law enforcement, the (likely) pointing of fingers, the (likely) passing you from one place to another, etc., would all be as interesting to read as the first half of the story (in my opinion).

Hi Mark,
From my personal experience I can tell you that contacting the national CERT team helps. They usually act like middlemen between authorities and the one reporting a crime. Or at least they do here in Romania.

It may be small-time, but guys like BloodMan can grow to be big problems if they aren't controlled.

Thanks for taking the time to write this article! A very interesting read, as I feel like I know individuals who like to play around like this and aren't aware they are also being watched. Looking forward to your next update

Always love your blog posts where you detail such methods. No matter how small, I hope you also reported this to German authorities, have a log and even confronted this so-called 'hacker'. It would be more awesome if you can then show us some conversation you had with him (with translation of course). Want to know the mindset behind these (I know it's not always money)

I am surprised people still use IRC (esp. this so-called hacker... maybe he thought no one uses it, that's why he decided to use it, because it's free to use a public server). But it is not private at all! Bad move on the hacker's part.

Fascinating! When I read that you didn't take control of the bot, I thought, "What's the hacker going to do, report you?" But, I understand and appreciate your integrity. Keep up the great work, and thanks for the protection!

Hmm ... I wonder if this is the bot that tried to access my site yesterday from various parts of the world?

You asked for thoughts on turning him in: I think you should report him. Yes, he may be a little fish, but little fish grow up to be big fish and get into lots of trouble. Nip it in the bud, so he knows he isn't invincible and that someone is watching him (because, hopefully, someone WILL be watching him after this).

If you want to report what you found to authorities, this would be the contact to the cybercrime department of Germany's Bundeskriminalamt (BKA - similar to FBI):
Phone: +49 611 55-15684
SO41-NKC@bka.bund.de

You should contact them yourself and refer them to this article. I'm sure they would appreciate it. Wouldn't it be a shame if he was a person known to the authorities, but they didn't have enough information or evidence to nail him yet?

I was kind of hoping the story would end with a reverse code that would send Bloodman's motherboard into an endless loop of frantic confusion, melting into Picasso-esque picture of a phenolic board, with resistors dripping off the bottom edge. I guess the FBI won't let you do that, either, but I enjoyed the thought.

Years ago a group of CB radio operators tracked down an asshole that was constantly interfering with user traffic with a high-powered (illegal) RF amplifier. That night a needle was driven through his antenna co-ax. When he keyed up he fried his amplifier.

He also received several not-so-veiled anonymous threats on his life and the well-being of his family, and his home address was repeatedly broadcast on all the channels.

His house and car were egged several times, and his tires were punctured.

Hey guys, as always thanks for your input. Just want to reemphasize that we don't condone witch hunts and in fact we actively discourage anything like that. I think I mentioned that in last week's post.

I think the trick here is to get the data out in a way that exposes bad behavior, gives the community the information it needs to protect itself and then see it's dealt with in the proper way. Bruce, while I can understand the temptation to do that kind of thing, let me share a similar story where an offender was dealt with properly.

I'm a radio ham and have been for several years now. For a while there was a guy on 14 MHz who was behaving really badly. The FCC went after him, triangulated him and fined him $3500 late last year. That's more money than a new amplifier costs and the penalty if he is a repeat offender will be much worse.

This was a fascinating article. I'm glad we ( you and others that understand it all) were able to get some good information from the operation. I am confused and a bit concerned why things in the virtual world are sooo different from the real world. If I witnessed a crime and was able to learn how it was plotted, planned and executed that could be really helpful to stop others, but I'm not sure it would be ok to just let the crook walk away free from consequence. Isn't the new idea... See something, say something. Well, again thanks for sharing the article it was very interesting.

I would encourage you to make some kind of report to appropriate authorities in Germany, the USA, wherever.
All of the most dangerous and predatory hackers started small. It may be that this person is only playing around and will never be a real threat, but you never know. If his identity and MO are in a police database, it may be helpful in minimizing some future attack that does real damage.

Mark, try contacting the local chapter of the Association of Certified Fraud Examiners in Germany. They are very active in fighting cybercrime and will likely know how to reach the proper authorities. They might even do it for you.

YAY! Exactly. Rather at least trying than doing nothing. Even just a small fish can grow big. Those guys have to learn straight from the start. I quite often report just little attempts to any abuse email address. I do not mind whether they will ever do anything about the script kiddies and others, but at least I reported it.
Without reporting, surely nothing will happen.

Spending your time learning more about the bot networks and the hackers and perhaps learning ways to frustrate or defeat their efforts seems like a much better use of your time than trying to provide users with lists of IP addresses to manually block bots. There are just too many of them. The software to create bot networks is readily available on black sites.

I'm not sure where I saw it but I watched a video of a group that tracked a hacker back to his FB account and actually had pictures of the Russians who were doing the hacking.

I am continually amazed at how many failed login attempts I receive each day for our business website. I can't imagine the benefits of being able to hack our site. Then again, I'm certain there must be something in it for the other people. This is a really interesting read. I am continually pleased with the protection your company provides. Thanks.

I used to be quite involved in online fraud, 419 scammers etc. I remember one conversation with law enforcement where they practically pleaded with me NOT to give them information as I was not a "registered source" and I could not be.
Any information I gave would be inadmissible in court.
If WF were to do one thing out of line, it would be impossible to convict the scammer.
I have a lot of respect for WF especially after last week's episode with the dodgy WP plugin maintainer. I do believe that the best way to combat this is "slowly slowly catchy monkey". This might not give you fast results but it will give you long-lasting ones.

For all who are critical about Mark not authorizing a takedown, he is absolutely right to be cautious, legally and ethically. It's easy to act tough about how you would handle it, when it's of no consequence to you. The fact that he shared the process and evidence is to be commended.

It's not a question of political correctness (a term that gets bandied about on political grounds a lot here in the States these days), it's about balancing the good you can do without crossing the line of legal liability, your business policies and interests, and the bigger picture. Believe me, we go down that road more often than I'd like here. Mark, you and your team rock. Kudos from ours to yours 🤗

I am one of your premium members and I totally appreciate these types of reports. I am writing an ebook to educate my audience on what is truly happening with our websites. A lot of what I know now came from working with your plugin, which is amazing.

I acknowledge you guys for the work you do! Superb!

P.S. I posted the article on my Facebook Fan Page but your page here did not count it. Check it?

Umm, Dan, did you read the first line in the post above? Protecting wp-login does not do ANYTHING in this case as he is uploading his code to the evoplugin. This is only one of many (old) compromised plugins.
I see this all the time: bots trying to upload stuff to plugins. One mildly helpful solution is to block access after one or a few 404s, because they are trying known vulnerable plugins.

This was fascinating. Two of my sites have been under attack for weeks, and as I was reading this report more notifications came in. It occurred to me that both are running the Deep Focus theme, so I am going to change them and see if it stops.

I was hacked many years ago and 1500 malicious files (some bank information phishing files) were embedded. Not fun. They gained account access as well and sent out a 100k webmail blast to email addresses in France through a proxy in Houston, and got my account shut down. The web host actually accused me of doing it, so I moved right afterward.

All I can say is that I'm very grateful for the work you guys are doing on Wordfence now, and for the continued updates on what you're doing.
Cheers
John

Great work guys, however:
You went all that way, waited 48 hours, monitored it, investigated etc. and then tell me that the effort of reporting it was not worth it because of a small fish... ???
Well, a small fish will grow big eventually.
Why not at least try to report? Better than doing nothing. You know, you can write to German authorities in English ;-) Even if you do not find the correct person, chances are that eventually it will end up with the right one.

Awesome work! Although I do agree with those who believe that this hacker should be 'dealt to'. I subscribe to the old adage of 'a stitch in time saves nine'. These parasites need to be exposed and held legally accountable before they get better at their 'trades' and cause even more damage. 4 years of 'criminal activity/nuisance' is no passing fancy and the resources already expended to counter his actions must surely be reason enough for legal enforcement to be involved. If there isn't such an avenue in place, then we (you who work behind the scenes on this type of work) should be lobbying our governments to set something up.

I wouldn't worry about reporting this guy. I would continue to learn all you can. Little guys communicate with other hackers. They learn on the same hacker boards. They teach each other. I run numerous websites, and am constantly amazed at the number of hacker attempts I receive every day from all of my little websites that have nothing to do with anything important.

We are in a digital war, and the combatants are not allied with countries, they are allied with others of the same ilk. We need to continue research, share our research, and block enough to make it unprofitable.

Take out this one and 50 others will slide into their place. There are a lot more of us than either the government or the ilk. If I were a better programmer, I would spend my time doing what wordfence is doing. But I would turn their bot on themselves any time I got the chance.

Sometimes keeping an eye on the little fish and his activities (and progression, and ideas) is more valuable than slapping him down and making the other fish dive deeper and get sneakier/smarter. There are always bigger fish, and this actually keeps us safer this way. Good job Mark, et al! And thank you for all that you do.

Some fantastic work. We did similar with a Locky virus which seemed to trim elements of text from a sentence and then combine it with another command from another string of words. The commands made no sense, but there are extreme lengths some of these people go to, to hide their dirty work and that's what is worrying.

Awesome sleuthing Mark. You guys do such a great job. One of my sites was suddenly under a brute force attack a week or so ago - I hadn't yet implemented one of my other smaller (but effective) strategies or included all of WF's options that I have available to me there - when I did, it was smooth sailing again.

Nice job! This guy seems to be a script kiddie wannabe because he didn't even cover his tracks well at all. He should never have linked his aliases to any personal accounts or gone bragging on YouTube. The fact that his system had glaring security flaws that allowed his info to get sniffed is funny as well. I can't even respect this person as a "hacker", just probably a teenager thinking they are cool playing the role of a "hacker".

Hi, thanks for reporting this. Like many previous posts I also believe this should be reported to appropriate authorities (although I concede that there may be actions you've undertaken that you did not describe in your post).

I recommend reading "The Cuckoo's Egg" by - from memory - Clifford Stoll. The technology used is now well dated, but the process he used to track down a hacker and the potential impacts of the hacking activity make for a compelling read.

Keep in mind that some of these bot networks have connections to organized crime. If you go too public with what you are doing you could be putting yourself or your employees in danger. Ask John Horton.

Heh, if you fu****s [starred by mod] choose to delete every post that is bad to your plugin.... sooner or later you'll run into someone that will unleash a hail storm against your plugin. What you Give... or Deny... is What You Get!

Do not try to fu** [starred by mod] with people like only sweet and nice posts... are posted on your article. You can censor out shit... on your blog for sure... but people GET PISSED ABOUT THAT! AND MAY DO SOME RESEARCH INTO YOUR SHIT THAT YOU WILL NOT LIKE SO MUCH!

The main takeaway here is that every site owner should be updating with security patches at least once a week. It would seem that some people aren't even trying, and perhaps, like Microsoft no longer supporting Windows 95, 98, etc., sites running an outdated OS should be taken offline by the network hosting company. Just a thought.

A note to those that are frustrated by not being able to do anything: one of my sites was pretty heavily infiltrated by Cialis spam last year. It took me a while to notice. After cleaning up the site, I continued to get spam links from at least 20 other sites in the spammer's network every so often. Each time I discovered a new link, I checked the sites and sent them a note showing pages on their sites that they did not know existed and introducing them to Wordfence and another similar service (I didn't want to be perceived as a spammer myself). Five or six of the sites got back with very embarrassed but grateful messages. So the spammer's network was at least partially dismantled, and the number of spammy links with medical keywords pointing to my site was reduced. It took a bit of time, but my messages were cut'n'paste after the first and I had the feeling I was doing something.

It's scary the number of sites out there that are either dead but still running, or have owners that are completely unaware of these issues and the basic rules of "hygiene" on the web. A number of the sites were either community, religious or charity sites. Sad.

The main takeaway here is that criminals can mess around all they want with computers, even become known, and probably experience no consequences except possible monetary enrichment and possibly the satisfaction of their criminal impulses.

I was delighted to read that Wordfence was being proactive, until I finished reading and found out this was just more of the same letting hackers run roughshod wherever they pleased, only now we know the guy's name. Or perhaps we don't.

Excellent article, the level of analysis was fascinating, you would like to think that zero tolerance should be the underlying attitude to these actions but this article shows some perspective on the practical challenges facing the police: http://www.thelocal.de/20140603/internet-crime-in-germany-at-a-record-high

I have to say, an article like this (and more specifically the ensuing discussion about legality and the lack of consequences for a hacker like this) illustrates why I stand behind Wordfence on issues like the recent Plugin injecting spammy links into site code intentionally. The sad fact is that almost none of the hackers that do things like this will ever face any real world consequences for doing so. The argument that there are "bigger fish to fry" is absolutely absurd; if someone breaks into your house and steals something from you, the police don't get to say "sorry, there are murderers out there, we have bigger fish to fry..."

That being said, I am not naive to the fact that enforcement issues in a case like this are sketchy at best. Many times something that to most of us would seem illegal in fact skirts the law quite intentionally. Technology progresses at such a rate that it is difficult if not impossible to legislate against the next type of attack because we often don't even know what it will be.

It may be disheartening, it may be frustrating, it may be "unfair," but the fact of the matter is that if you plan on using the internet to any significant degree and especially if you are the webmaster and/or designer of one or more sites, you are responsible for your own security within that space. This is why we need services like Wordfence; because most of us need a little help, and even if our "bodyguard" isn't legally allowed to tackle our attackers, they can at least point them out and tell us what's going on.

Keep up the good work guys. The more we all know the better able we are to protect ourselves!

Thanks for this article. I see a lot of people suggesting the legal (law enforcement) route.

Actually, have most of you looked at the news lately? The extent to which law enforcement is being stretched and the limits government has placed in front of those wanting to be protected, has resulted in an ineffective worldwide system.

There comes a time when people like those running Wordfence do a greater service by exposing the tactics of people wishing to do harm, and providing insights which may spark the interest of someone who may come up with a way to even better protect websites and content from harmful intent.

Fact of the matter is, regardless what were to happen if the authorities were notified, the result would very likely be that one person may receive a penalty and then return to do exactly what he was doing before. And he would be laughing all the while.

I prefer to see what is happening so I can show my own clients why it is so important to keep their sites and servers up to date.

If this hacker is successful with his attack, however small he is, the damage for the admin/company/organization can be huge.

Also, what is the border between when to report and when not to?
For me personally, every non-ethical hacker should have their hands cut off. I was hacked a few years ago, before I started to use Wordfence. My sites are clean but I am still suffering from this hack.